Resource Certification for non-RIPE NCC Members
This proposal intends to allow the RIPE NCC to issue resource certificates for non-members, such as Provider Independent End Users and Legacy address space holders, who reside in the the RIPE NCC Service Region.
Summary of Proposal
Currently, the RIPE NCC Resource Certification (RPKI) service is only available for RIPE NCC members. This proposal intends to allow the RIPE NCC to issue resource certificates for non-members, such as Provider Independent End Users and Legacy address space holders, which reside in the RIPE NCC Service region.
New policy text
[Following text will result in a new RIPE Policy Document “Policy for Resource Certification for non-RIPE NCC Members”, if the proposal reaches consensus]
This policy allows the RIPE NCC to issue resource certificate for non-RIPE NCC members such as Provider Independent (PI) End Users and Legacy Address Space holders.
2.0 Certification of resources held by non-RIPE NCC members
When requested, the RIPE NCC will issue a certificate for Internet resources held by non-RIPE NCC member organisations, provided that:
- The organisation proves that they are the legitimate holder of the resources
- The Internet resources reside within the RIPE NCC service region
In order to be eligible for resource certification, PI End Users must comply with the RIPE policy “Contractual Requirements for Provider Independent Resource Holders in the RIPE NCC Service Region” . The contract with the sponsoring LIR must be verified and approved by the RIPE NCC.
PI End Users can optionally have their sponsoring LIR to act as an intermediary in this process.
This document is developed by the RIPE community.
The following people actively contributed by making proposals through the RIPE Policy Development Process:
Arguments supporting the proposal
Resource Certification (RPKI) – and specifically the BGP Origin Validation functionality that it provides – is only a viable solution if all address space that falls under the authority of the RIR can be covered by a certificate and a Route Origin Authorisation (ROA). A partial implementation is as useful in the real world as no implementation at all.
As it stands, around 9000 address space holders in the RIPE NCC service region can make use of the functionality that RPKI currently offers and about 18,000 other resource holders who are not members can't.
Arguments opposing the proposal
Resource Certification could be regarded as a member-only service. This means every address space holder in the RIPE NCC service region who wishes to use the Resource Certification service should become a RIPE NCC member.
However there are cases known where for instance current PI holders can’t enter into a member agreement with the RIPE NCC, which would exclude them from using Resource Certification.